June 6, 2012

Why LinkedIn's Password Leak Endangers Security Across The Web

Using the same password over and over again, across many sites, is extremely common. We’re not sure how common — estimates range between 10 percent and 50 percent of all passwords are re-used — but I would be shocked if more than a small portion of LinkedIn users hadn’t re-used their LinkedIn password at least once.

Which means, in the wake of the release of 6.46 million hashed (encrypted) LinkedIn passwords, Google probably has thousands of new breaches of Gmail to look forward to. Password re-use is by far the easiest way to breach accounts on otherwise secure sites. (Email addresses aren’t hard to track down, and trying a password harvested from elsewhere can be automated.)

This means it’s time for me to trot out my well-worn PSA about how, if you must re-use passwords rather than using a secure password management program like 1password, at least you can do it in a way that won’t lead to a catastrophic loss of your online security.

Basically, the idea is that you make sure that the passwords you use for your most important accounts — bank, email, etc. — are totally unique. Every other site for which a breach is merely an annoyance, re-use passwords as you please. The full post.